| 1 |
On Wednesday 09 January 2008 18:16:24 Ciaran McCreesh wrote: |
| 2 |
> On Wed, 09 Jan 2008 17:27:52 +0000 |
| 3 |
> |
| 4 |
> Roy Marples <roy@×××××××.name> wrote: |
| 5 |
> > On Wed, 2008-01-09 at 17:01 +0000, Ciaran McCreesh wrote: |
| 6 |
> > > 3.5.5 was good enough to be keyworded stable at one point. Thus, it |
| 7 |
> > > can't be *that* bad. |
| 8 |
> > |
| 9 |
> > So what happens if a flaw is discovered in KDE 3.5.5 that allows root |
| 10 |
> > access? |
| 11 |
> |
| 12 |
> Then the one particular part of 3.5.5 that's affected gets fixed and |
| 13 |
> priority keyworded. |
| 14 |
|
| 15 |
Lets say that there's just 3.5.5 and 3.5.8 in the tree. |
| 16 |
3.5.5 is keyworded stable mips |
| 17 |
3.5.8 doesn't have the mips keyword because it's horribly broken on mips |
| 18 |
|
| 19 |
A security flaw is discovered in 3.5.5, the solution is to upgrade to 3.5.8. |
| 20 |
This flaw involves code that has radically changed from 3.5.5 to 3.5.8. For |
| 21 |
the sake of argument say it will take 1 month of time for anyone to create a |
| 22 |
patch for 3.5.5 that fixes the flaw OR makes 3.5.8 magically work on mips. |
| 23 |
|
| 24 |
During this month, what do you propose happens to the end user? |
| 25 |
|
| 26 |
The choices are |
| 27 |
1) Carry on as we are, user is blissfully unaware of security flaw and doesn't |
| 28 |
have time to read GLSA's, etc has he's busy with real life thereby giving |
| 29 |
Gentoo the reputation of shipping insecure software. |
| 30 |
2) Force the user to spend a few minutes adding 3.5.5 to a package.unmask, |
| 31 |
thereby acknowledging the security flaw but by his own choice keeping the |
| 32 |
highly insecure software. |
| 33 |
|
| 34 |
Thanks |
| 35 |
|
| 36 |
Roy |
| 37 |
-- |
| 38 |
gentoo-dev@l.g.o mailing list |
Archives